Frontmatter

©November 1999, The Open Group All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, without the prior permission of the copyright owners.

Any comments relating to the material contained in this document may be submitted to The Open Group at:

The Open Group
Apex Plaza
Forbury Road
Reading
Berkshire, RG1 1AX
United Kingdom

OGSpecs@opengroup.org

Preface

The Open Group

The Open Group is the leading vendor-neutral, international consortium for buyers and suppliers of technology. Its mission is to cause the development of a viable global information infrastructure that is ubiquitous, trusted, reliable, and easy-to-use. The Open Group creates an environment where all elements involved in technology development can cooperate to deliver less costly and more flexible IT solutions.

Formed in 1996 by the merger of the X/Open Company Ltd. (founded in 1984) and the Open Software Foundation (founded in 1988), The Open Group is supported by most of the world's largest user organizations, information systems vendors, and software suppliers. By combining the strengths of open systems specifications and a proven branding scheme with collaborative technology development and advanced research, The Open Group is well positioned to meet its new mission, as well as to assist user organizations, vendors, and suppliers in the development and implementation of products supporting the adoption and proliferation of systems which conform to standard specifications.

With more than 200 member companies, The Open Group helps the IT industry to advance technologically while managing the change caused by innovation. It does this by:

• Consolidating, prioritizing, and communicating customer requirements to vendors

• Conducting research and development with industry, academia, and government agencies to deliver innovation and economy through projects associated with its Research Institute

• Managing cost-effective development efforts that accelerate consistent multi-vendor deployment of technology in response to customer requirements

• Adopting, integrating, and publishing industry standard specifications that provide an essential set of blueprints for building open information systems and integrating new technology as it becomes available

• Licensing and promoting the Open Brand, represented by the "X" Device, that designates vendor products which conform to Open Group Product Standards

• Promoting the benefits of open systems to customers, vendors, and the public.

The Open Group operates in all phases of the open systems technology lifecycle including innovation, market adoption, product development, and proliferation. Presently, it focuses on seven strategic areas: open systems application platform development, architecture, distributed systems management, interoperability, distributed computing environment, security, and the information superhighway. The Open Group is also responsible for the management of the UNIX trademark on behalf of the industry.

Development of Product Standards

This process includes the identification of requirements for open systems, development of Technical Standards (formerly CAE and Preliminary Specifications) through an industry consensus review and adoption procedure (in parallel with formal standards work), and the development of tests and conformance criteria.

This leads to the preparation of a Product Standard which is the name used for the documentation that records the conformance requirements (and other information) to which a vendor may register a product.

The "X" Device is used by vendors to demonstrate that their products conform to the relevant Product Standard. By use of the Open Brand they guarantee, through the Open Brand Trade Mark License Agreement (TMLA), to maintain their products in conformance with the Product Standard so that the product works, will continue to work, and that any problems will be fixed by the vendor.

Open Group Publications

The Open Group publishes a wide range of technical documentation, the main part of which is focused on development of Technical Standards and product documentation, but which also includes Guides, Snapshots, Technical Studies, Branding and Testing documentation, industry surveys, and business titles.

There are several types of specification:

• Technical Standards (formerly CAE Specifications)

  The Open Group Technical Standards form the basis for our Product Standards. These Standards are intended to be used widely within the industry for product development and procurement purposes.

  Anyone developing products that implement a Technical Standard can enjoy the benefits of a single, widely supported industry standard. Where appropriate, they can demonstrate product compliance through the Open Brand. Technical Standards are published as soon as they are developed, so enabling vendors to proceed with development of conformant products without delay.

• CAE Specifications

  CAE Specifications and Developers' Specifications published prior to January 1998 have the same status as Technical Standards (see above).
  

• Preliminary Specifications

  Preliminary Specifications have usually addressed an emerging area of technology and consequently are not yet supported by multiple sources of stable conformant implementations. They are published for the purpose of validation through implementation of products. A Preliminary Specification is as stable as can be achieved, through applying The Open Group's rigorous development and review procedures.

  Preliminary Specifications are analogous to the trial-use standards issued by formal standards organizations, and developers are encouraged to develop products on the basis of them. However, experience through implementation work may result in significant (possibly upwardly incompatible) changes before its progression to becoming a Technical Standard. While the intent is to progress Preliminary Specifications to corresponding Technical Standards, the ability to do so depends on consensus among Open Group members.
  

• Consortium and Technology Specifications

  The Open Group publishes specifications on behalf of industry consortia. For example, it publishes the NMF SPIRIT procurement specifications on behalf of the Network Management Forum. It also publishes Technology Specifications relating to OSF/1, DCE, OSF/Motif, and CDE.

  Technology Specifications (formerly AES Specifications) are often candidates for consensus review, and may be adopted as Technical Standards, in which case the relevant Technology Specification is superseded by a Technical Standard.

In addition, The Open Group publishes:

• Product Documentation

  This includes product documentation-programmer's guides, user manuals, and so on-relating to the Pre-structured Technology Projects (PSTs), such as DCE and CDE. It also includes the Single UNIX Documentation, designed for use as common product documentation for the whole industry.

• Guides

  These provide information that is useful in the evaluation, procurement, development, or management of open systems, particularly those that relate to the Technical Standards or Preliminary Specifications. The Open Group Guides are advisory, not normative, and should not be referenced for purposes of specifying or claiming conformance to a Product Standard.

• Technical Studies

  Technical Studies present results of analyses performed on subjects of interest in areas relevant to The Open Group's Technical Program. They are intended to communicate the findings to the outside world so as to stimulate discussion and activity in other bodies and the industry in general.

Versions and Issues of Specifications

As with all live documents, Technical Standards and Specifications require revision to align with new developments and associated international standards. To distinguish between revised specifications which are fully backwards compatible and those which are not:

• A new Version indicates there is no change to the definitive information contained in the previous publication of that title, but additions/extensions are included. As such, it replaces the previous publication.

• A new Issue indicates there is substantive change to the definitive information contained in the previous publication of that title, and there may also be additions/extensions. As such, both previous and new documents are maintained as current publications.

Corrigenda

Readers should note that Corrigenda may apply to any publication. Corrigenda information is published on the World-Wide Web at http://www.opengroup.org/corrigenda.

Ordering Information

Full catalog and ordering information on all Open Group publications is available on the World-Wide Web at http://www.opengroup.org/pubs.

This Document

The Common Data Security Architecture (CDSA) is a set of layered security services that address communications and data security problems in the emerging Internet and Intranet application space. It is designed to provide interoperable security standards covering the essential components of security capability.

The CDSA Technical Standard is organized into 15 parts, each addressing specific aspects of the architecture, and catering for the needs of several distinct audiences (see Intended Audience below). Due to this "parts" structure, there is a certain amount of duplication of information. However, it is considered that the benefit to the reader of presenting all the information they are likely to require within self-contained Parts outweighs any disadvantages in duplication of information.

Most of the parts are normative, defining programming interfaces. Those that are non-normative (descriptive, for added information) are clearly identified as such.

The 15 parts are as follows:

• Part 1: Common Data Security Architecture (CDSA)

  Presents the overall CDSA architecture, with emphasis on the Common Security Services Manager. It explains the four-layer architecture as consisting of:

  1. Applications

  2. Layered services and middleware

  3. Common Security Services Manager (CSSM) infrastructure

  4. Security service provider modules

• Part 2: Common Security Services Manager (CSSM) API

  Defines the base application programming interfaces available in all CSSM implementations, as follows:

  • CSSM Core Services API
    defines functions implemented by CSSM. These include module management functions (applicable to all types of modules), security context management functions, and integrity verification functions.

  • Cryptographic Services API
    defines functions that perform encryption, digital signature digests, signature generation and validation. These functions access the cryptographic service providers (tokens) within the context of a cryptographic session.

  • Trust Policy Services API
    defines functions that can be used for determining a level of trust before performing a syntactic operation on a certificate. A trust policy may determine whether or not a given certificate is authorized to sign other certificates.

  • Authorization Computation Services API
    defines functions that can be used for answering the questions "Is subject S authorized to perform operation O on protected resource R?". Callers provide a basic set of assumptions representing their policy, the requester's credentials and samples, the requested operation on the target resource. The module can compute a "yes or no" response based on the caller-provided information.

  • Certificate Library Services API
    defines functions that perform syntactic, format-specific operations on certificates and certificate revocation lists (CRLs). The certificate library module performs data format-specific operations, such as creating a new certificate from a list of tag-value pairs.

  • Data Storage Library Services API
    defines functions that manage and access persistent data about security-related objects, such as certificates and certificate revocation lists. The mechanism used for persistence is assumed to be transparent to the calling application.

  In addition, Appendix A describes the error handling functions for use by add-in service modules, applications, and components of CSSM; and Appendix B describes memory management in CSSM as it relates to the application's usage.

• Part 3: Module Directory Services

  Defines the module directory services (MDS), which provides a platform-independent registry service designed to support secure loading and secure use of software modules. MDS is a system-wide service available to all processes. CDSA is a seminal user of MDS. MDS defines a basic Object Directory schema to name and locate software components and the signed manifest credentials associated with those software components. Each software component in the Object Directory is uniquely named by a GUID (Globally Unique ID). CDSA defines an additional set of schemas to store CDSA-specific security attributes of all CDSA components. CDSA components use the MDS-managed data to:

  • Discover other available CDSA components

  • Learn about the capabilities and properties of other CDSA components

  • Locate the executables for CDSA components

  • Locate the signed manifest credentials associated with a CDSA software component.

• Part 4: CSSM Key Recovery API

  Defines the elective application programming interface that applications and other add-in service modules can use to access key recovery services. Applications use these services explicitly. CSSM dynamically incorporates extended services when required. From the application's perspective, basic services and elective services are accessed through the CSSM in the same manner.

• Part 5: CDSA Embedded Integrity Services Library API

  Defines the application programming interfaces provided by the static Embedded Integrity Services Library (EISL). These services are available to applications, add-in security service modules, and to CSSM itself. This also includes documentation of the bilateral authentication procedure for integrity and identity checks between two parties, and the specification of manifests as an aggregator of heterogeneous signed objects.

• Part 6: CDSA Signed Manifest Specification

  Part 6 is descriptive, for information only. It defines the structure and use of signed manifests, and how to construct and verify them. A manifest aggregates the description of the integrity of a set of heterogeneous signed objects. A manifest is one of the credentials required for each dynamic component of the CDSA.

• Part 7: CDSA Object Identifiers for Certificate Library Modules

  Applications using a single type of certificate can choose among Certificate Library Service Modules only if those service modules process those certificates in a standard manner. General interoperability is difficult to achieve. This Part defines standard Object Identifiers (OIDs), that if adopted will enable data-level interoperability, by allowing an application to extract values from certificates and CRLs in a uniform manner, regardless of which certificate library module is used to access the certificate.

• Part 8: CSSM Elective Module Manager

  Defines CSSM-internal interfaces for elective module managers. These interfaces include installation, dynamic attach, function registration, and mechanisms for state sharing among module managers.

• Part 9: CSSM Add-In Module Structure and Administration

  Defines the architecture and management interfaces for all add-in security service modules. Modules must implement this interface to dynamically attach to CSSM and provide their services to applications through the CSSM APIs.

• Part 10: CSSM Cryptographic Service Provider Interface

  Defines the interface that cryptographic service providers must provide in order to be accessible via CSSM.

• Part 11: CSSM Trust Policy Interface

  Defines the functions that a Trust Policy module makes available to applications via the CSSM.

• Part 12: CSSM Authorization Computation Interface

  Defines the interface that applies access control - authentication and authorization - that a caller can present to service providers when operating on objects whose access is controlled by the service provider.

• Part 13: CSSM Certificate Library Interface

  Defines the interface that certificate libraries must provide in order to be accessible via CSSM.

• Part 14: CSSM Data Storage Library Interface

  Defines the interface that a data storage library must provide in order to be accessible via CSSM.

• Part 15: CSSM Key Recovery Interface

  Defines the service provider interface that key recovery modules must provide in order to be accessible as an elective service via CSSM.

A glossary and index are also provided.

Intended Audience

Part 1 provides an overview of the CDSA for Independent Software Vendors (ISVs), Independent Hardware Vendors (IHVs), and platform vendors who develop security products as complete applications in a monolithic environment.

The intended audience for each part of this document is:

Part 2

This is intended for use by Independent Software Vendors (ISVs) who develop their own application code to interact with CSSM services. These ISVs are highly experienced software and security architects, advanced programmers, and sophisticated users, familiar with network operating systems and high-end cryptography. It is assumed that this audience is familiar with the basic capabilities and features of the protocols they are considering.

Part 3

This part is intended for

• Engineers developing installation tools for CDSA components

• Application developers who must dynamically select CDSA security service providers to support their application

• Engineers developing or porting an implementation of CSSM.

Module Directory Services can be used by applications outside of CDSA. To this end, MDS is of interest to all application developers.

Part 4

This part is intended for use by Independent Software Vendors (ISVs) who develop exportable and importable application code to interact with CSSM services. These ISVs are highly experienced software and security architects, advanced programmers, and sophisticated users. They are also familiar with local and foreign government regulations on the use of cryptography and the implication of those regulations for their applications and products.

Part 5

This part is intended for Platform Vendors and Independent Software Vendors (ISVs) who want to enhance product security by including integrity and authentication checks in the core of their products. These developers must have a good understanding of:

• The principles of integrity and authentication in an executing software environment

• The role of digital credentials in authenticating a software object

• The structure of a secured manufacturing environment for authenticate-able software products

It is also assumed that these developers have a working knowledge of signed manifests as digital credentials.

Part 6

This part is essential for all developers whose products involve the expression and/or validation of the integrity of a collection of digital objects. This includes those developing:

• Add-in security service modules for CSSM

• Elective Module Managers for CSSM

• Applications that:

  • Package a collection of digital objects or services

  • Make assertions about a collection of digital objects or services

  • Verify the integrity of a collection of digital objects or services

  • Establish trust in the assertions being made about a collection of digital objects or services

Part 7

This part is intended for Independent Software Vendors (ISVs) and application writers, who want to develop interoperable X.509 certificate services, regardless of which certificate library module is used to access the certificate.

Part 8

This part is intended for Independent Software Vendors (ISVs) who want to develop categories of security services different from the four basic CSSM service categories: trust policy, certificate library, data storage library, and cryptographic services. These ISVs should be highly experienced software and security architects and advanced programmers. This audience is familiar with high-end cryptography, digital certificates, and features of the security protocols they are considering.

Part 9

This part is intended for Independent Software Vendors (ISVs) who want to develop their own add-in modules to support one or more of the CSSM Service Provider Interfaces. These ISVs should be highly experienced software and security architects, advanced programmers, and sophisticated users. They are familiar with data storage systems, high-end cryptography, and digital certificates. It is assumed that this audience is familiar with the basic capabilities and features of the protocols they are considering.

Part 10

This part is intended for Independent Software Vendors (ISVs) who want to develop CSSM add-in service modules providing cryptographic services such as digital signing and verification, encryption and decryption, digesting, key generation, and random number generation. These developers must have a thorough understanding of:

• The cryptographic algorithms they intend to implement

• Standard formats for cryptographic keys

• All legal constraints on their product defined by the government of their local jurisdiction

It is also assumed that these developers have a working knowledge of how the cryptographic services they provide can be used to provide integrity, authentication, confidentiality, and non-repudiation of data and actions.

Part 11

This part is intended for security software developers who want to develop their own Trust Policy module. These developers should be familiar with cryptography and digital certificates. This document assumes the reader is familiar with the basic capabilities and features of security protocols associated with authentication, integrity and privacy. These developers should be highly experienced software architects, advanced programmers, or sophisticated users, who have a strong understanding of public-key infrastructures.

Part 12

This part is intended for Independent Software Vendors (ISVs) who want to use the CDSA's Authorization Computation module to implement an authorization evaluation mechanism based on caller inputs. These inputs will include the assumptions forming the basis of the caller's policy, the request for which authorization is being checked, and the credentials, samples, and exhibits that could demonstrate authorization to perform the request.

Part 13

This part is intended for Independent Software Vendors (ISVs) who want to develop add-in service modules providing creation and manipulation of digital certificates and certificate revocation lists through the CSSM APIs. These developers should have a strong understanding of:

• One or more digital certificate standards

• Public-key infrastructures

• certification Authority (CA) protocols

• Certificate life cycle services

It is also assumed that these developers are knowledgeable users of cryptographic services.

Part 14

This part is intended for Independent Software Vendors (ISVs) who want to develop CSSM add-in service modules providing persistent storage for security-related objects, such as digital certificates, certificate revocation lists, cryptographic keys, and security policy statements. These developers should have a strong understanding of:

• Underlying storage mechanisms to be used in an implementation

• Traditional database-implementation techniques

• Data server interface protocols

It is also assumed that these developers have a working knowledge of cryptographic services.

Part 15

This part is intended for Independent Software Vendors (ISVs) who will develop products that provide key recovery services through the CSSM APIs. These ISVs are highly experienced software and security architects and advanced programmers. They are also familiar with local and foreign government regulations on the use of cryptography and the implication of those regulations for their products.

History

This is The Open Group's CDSA Version 2.0 Technical Standard, November 1999.

In December 1997 The Open Group published its first CDSA Technical Standard. This CDSA Version 2.0 supersedes the CDSA December 1997 document.

In Febuary 1998, Intel released a series of documents, all called "Common Data Security Architecture xx Specification, Release 1.2 February 1998". Titles in this Intel release included Application Programming Interface (API), Data Storage Library Interface (DLI), Add-in Module Structure and Administration, Cryptographic Service Provider Interface (SPI), Trust Policy Interface (TPI), and Certificate Library Interface (CLI). Those who licensed the reference software for this Intel documentation release 1.2 have not unnaturally refered to their implementations of it as version 1.2 of CDSA.

In May 1999, Intel released a document called "Common Security Services Manager, Application Programming Interface (API) Specification, CDSA Version 2.0 release 3.0". This had review status only.

Trademarks

Motif®, OSF/1®, UNIX®, and the "X Device"® are registered trademarks and IT DialTone^TM; and The Open Group^TM; are trademarks of The Open Group in the U.S. and other countries.

Other product and corporate names may be trademarks of other companies and are used only for explanation and to the owner's benefit, without intent to infringe.

Acknowledgements

The Open Group gratefully acknowledges the co-operative effort of participating industry leaders, led by Intel Architecture Labs., on this Common Data Security Architecture (CDSA) specification. This work was initiated by Intel Architecture Labs., and led to the development of CDSA and CSSM, having attained the support and participation of organizations such as Apple, Entrust, Hewlett-Packard, IBM, Motorola, Netscape, Sun, and Trusted Information Systems, together with the many member organizations of the PKI (Public Key Infrastructure) Task Group, who met regularly under the auspices of The Open Group.

The Open Group particularly acknowledges the detailed work contributed by Apple Computer Corporation, Intel Architecture Labs. and the IBM Corporation, to the development of this CDSA Version 2 Technical Standard.

Referenced Documents

ASN.1

ITU-T Recommendation X.200: Abstract Syntax Notation One (ASN.1).

BER

ITU-T Recommendation X.209: Basic Encoding Rules for Abstract Syntax Notation One (ASN.1).

BSAFE

BSAFE Cryptographic Toolkit, RSA Data Security, Inc., Redwood City, CA.

Cryptography

Applied Cryptography, Second Edition, Protocols, Algorithms, and Source Code in C, Bruce Schneier: John Wiley & Sons, Inc., 1996.

Cryptography Usage

Handbook of Applied Cryptography, Menezes, A., Van Oorschot, P., and Vanstone, S., CRC Press, Inc., 1997.

DER

ITU-T Recommendation X.690: Distinguished Encoding Rules.

DSA

Federal Information Procurement Standard (FIPS) 186, Digital Signature Standard.

Key Escrow

A Taxonomy for Key Escrow Encryption Systems, Denning, Dorothy E., and Branstad, Dennis, Communications of the ACM, Vol 39, No. 3, March 1996.

OIW

Stable Implementation Agreements, Open Systems Environment Implementors Workshop, June 1995.

PKCS

The Public-Key Cryptography Standards, RSA Laboratories, RSA Data Security, Inc., Redwood City, CA.

PKIX

Public Key Infrastructure Certificate Management Protocols, IETF PKIX Working Group, 1996

SDSI

SDSI: A Simple Distributed Security Infrastructure, R. Rivest and B. Lampson, 1996.

SHA

Federal Information Procurement Standard (FIPS) 180, Secure Hash Algorithm.

SPKI

Simple Public Key Infrastructure, Internet Draft: draft-ietf-spki-cert-structure-03.txt

X.509

ITU-T Recommendation X.509: The Directory-Authentication Framework, 1988.

License Agreement for CDSA Specifications

THIS LICENSE AGREEMENT IS IN RESPECT OF THE COMPILATION OF 15 SPECIFICATIONS RELATING TO COMMON DATA SECURITY ARCHITECTURE "(CDSA)" AND COMMON SECURITY SERVICES MANAGER "(CSSM)", PUBLISHED TOGETHER BY THE OPEN GROUP UNDER THE TITLE "COMMON SECURITY: CDSA AND CSSM, Version 2", DOCUMENT NUMBER C902, ISBN 1-85912-236-1 ("THE SPECIFICATION").

YOU CANNOT USE THIS SPECIFICATION ("THE SPECIFICATION") FOR SOFTWARE DEVELOPMENT UNTIL YOU HAVE CAREFULLY READ AND AGREED TO THE FOLLOWING TERMS AND CONDITIONS. THE PERSON WHO ORIGINALLY ACQUIRED THIS PUBLICATION THROUGH THE WORLD-WIDE WEB OR AS HARD COPY EXPLICITLY AGREED TO THESE TERMS AND CONDITIONS. AS THE READER OF THIS DOCUMENT YOU ARE BOUND BY THE SAME TERMS. THE TERMS OF THIS LICENSE AGREEMENT ALSO APPLY TO REVISIONS OF THIS SPECIFICATION MADE AVAILABLE TO YOU BY THE OPEN GROUP.

LICENSE: The Open Group grants you a non-exclusive copyright license to read and display the Specification, and to use the Specification to develop and distribute a conformant software implementation of the Specification on the terms set out in this Agreement. For the avoidance of doubt, this License does not authorize you to edit, republish or distribute the Specification or create any derivative work therefrom.

CONFORMANCE: A software implementation must be and remain a complete and conformant implementation of the CSSM. A conforming implementation of CSSM provides and supports all the application programming interfaces and service provider interfaces defined in the Specification, and for each elective module the implementation must provide and support all the application programming interfaces and service provider interfaces for that module. A software implementation of CSSM may be tested for conformance using the CDSA Conformance Test Suite ("the Test Suite"), available from The Open Group web site. You are not permitted to use the Test Suite for any other purpose, nor to disclose or make any claim that any product has "passed" the Test Suite test. You can not make any claims that your software product conforms to CDSA or CSSM or the Specification unless such product is registered under the Open Brand program.

LIABILITY: THE SPECIFICATION AND ANY OTHER MATERIALS PROVIDED BY THE OPEN GROUP UNDER THIS AGREEMENT ARE PROVIDED "AS IS", AND THE OPEN GROUP MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AND EXPRESSLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, NON-INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS AND FITNESS FOR A PARTICULAR PURPOSE.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, THE OPEN GROUP HEREBY EXCLUDES ALL LIABILITY, WHETHER IN CONTRACT, TORT OR OTHERWISE, ARISING OUT OF OR RELATING TO THE USE BY ANY PERSON OF THE SPECIFICATION OR ANY OTHER MATERIAL PROVIDED HEREUNDER. IN NO EVENT SHALL THE OPEN GROUP BE LIABLE FOR ANY INDIRECT OR CONSEQUENTIAL LOSSES INCLUDING, WITHOUT LIMITATION, ANY LOSS OF PROFITS, CONTRACTS, PRODUCTION OR USE.

TERMINATION OF THIS LICENSE: The Open Group may terminate this license at any time if you are in breach of any of its terms and conditions. Upon termination, you will immediately cease use of the Specification.

APPLICABLE LAW: This Agreement is governed by the laws of England and Wales, and you hereby agree to the non-exclusive jurisdiction of the English courts.